Merge c8a756ca3e into 1ce6e78dd4

django/contrib/auth/hashers.py

@@ -569,8 +569,11 @@ class BCryptPasswordHasher(BCryptSHA256PasswordHasher):
     issues.
 
     This hasher does not first hash the password which means it is subject to
-    bcrypt's 72 bytes password truncation. Most use cases should prefer the
+    bcrypt's 72 byte limit. With bcrypt version 5 or newer, a `ValueError`
-    BCryptSHA256PasswordHasher.
+    will be raised if the password exceeds 72 bytes. On older versions, the
+    password is silently truncated to 72 characters.
+
+    The BCryptSHA256PasswordHasher won't raise exceptions on longer passwords.
     """
 
     algorithm = "bcrypt"

tests/auth_tests/test_hashers.py

@@ -152,6 +152,20 @@ class TestUtilsHashPass(SimpleTestCase):
         self.assertTrue(check_password("", blank_encoded))
         self.assertFalse(check_password(" ", blank_encoded))
 
+    @skipUnless(bcrypt, "bcrypt not installed")
+    @override_settings(
+        PASSWORD_HASHERS=["django.contrib.auth.hashers.BCryptPasswordHasher"]
+    )
+    def test_bcrypt_truncation(self):
+        if bcrypt.__version__ >= "5.0.0":
+            with self.assertRaises(ValueError) as cm:
+                encoded = make_password(73 * "x", hasher="bcrypt")
+            self.assertIn("72 bytes", str(cm.exception))
+        else:
+            # Older versions silently truncated to 72 bytes
+            encoded = make_password(73 * "x", hasher="bcrypt")
+            self.assertTrue(check_password(72 * "x", encoded))
+
     @skipUnless(bcrypt, "bcrypt not installed")
     @override_settings(
         PASSWORD_HASHERS=["django.contrib.auth.hashers.BCryptPasswordHasher"]